"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."
Get the resources you need to start building today
Microsoft chose Payload to tell the world about AI.
Payload w/ Supabase Auth
Has anyone successfully integrated supabase auth into their payload project?
I want to use supabase auth with my payload project to take advantage of all the social logins & 2fa, mobile login feature supabase auth provides (and RLS), but continue to use payload for collection management and access control (i.e. users from the supabase auth db that aren't 'admin' can access some collections but not all).
Current plan is to create a new users table in the supabase
publicschema that is managed by payload, but references
auth.users, with
authenabled. I will then use a custom strategy to call supabase auth APIs in the
authenticateoverride function in the custom strategy.
Haven't tested yet - anyone know if this is enough?
Using the 3.0 NextJS beta if that makes a difference.
Had a quick search through the discord history but didn't find anything comprehensive
Are you trying to setup oauth for the admin or the app?
Well, both ideally
this plugin currently supports admin oauth, and I am working on the frontend auth as we speak. I will release soon enough
https://www.npmjs.com/package/payload-auth-plugin
I’m new to Payload, so I have a lot to learn. I’m also considering the authentication strategy for my next project. I’m not sure if I need Supabase for authentication or if I can rely on Payload’s auth logic for other parts of my app.
Ideally, I would have one Next.js app that includes both my marketing site and the app itself. As the super admin, I would use Payload CMS to manage various parts of the app, like a simple database GUI. I’d also set up an editor role, who can only publish and edit articles on the marketing site. Additionally, there would be an ‘app dashboard’ section where users can log in, register, and use the SaaS.
Can Payload’s auth logic handle all authentication for everything, or would I need two separate authentication strategies?
Payload auth is only for admin side not for frontend side
What would be your approach to front-end authentication? Do you recommend creating a separate table in our database for SaaS app users? I want to ensure that data from different strategies doesn’t get mixed up.
Additionally, would you suggest using a library like NextAuth or another authentication solution to manage authentication and authorization for the SaaS aspect?
that's kinda misleading
you can use payload auth for the frontend.
@777864119083728916check this repo for inspiration
https://github.com/bathrobe/payload-3-auth-starter/tree/maini've done pretty much the same, basically having one Users collection with different roles. only admins can access the admin panel
You can tweak it all you want and this looks good but there's no default way.
- @331906168375083008
Thanks for pointing me to the right direction.
For anyone coming here looking for the answer to my original question, this is how I've achieved it.
1. Use a payload collection as an auth collection, e.g. users
2. Follow [this guide from supabase](
https://supabase.com/docs/guides/auth/managing-user-data#accessing-user-data-via-api) to add a trigger that, for every new user created by supabase auth, inserts a row into your payload user collection
2. Implement a custom
authorizefunction in your payload user collection which calls supabase
.getUser()- this refreshes the auth session, if there isn't one, redirect to login. From the supabase auth response, lookup user from payload users collection by email/ID
3. Return user if found, null if not
This works for any of the supabase supported OAuth providers, and will still allow you to set permissions on payload users, and handle in collection access controls accordingly.
So it's kinda using supabase auth for authentication, and payload for authorization.
This is quite clever. Kudos. This also got me wondering if the reverse is also practical - as in creating a user using Payload API's then using a hook to sync to Supabase auth
Thanks for sharing
@432119459591880706I followed the guide you linked but I couldn't get things working completely. Did you have a uuid id column in your user table by any chance that was linked to the auth user? Or did you make a new collection? Mine just gets overridden by payload when I run my dev server.
Do you think I could take a look at your implementation?
Yeah - in my Payload
userscollection I have the id column that's handled by payload, and a
superbase_auth_idcolumn which I populate using the id from the Supabase
auth.userstable.
-- inserts a row into public.profiles create or replace function public.handle_new_user() returns trigger language plpgsql security definer set search_path = '' as $$ begin insert into public.users (supabase_auth_id, email, created_at, updated_at) values (new.id, new.email, new.created_at, new.updated_at); return new; end; $$;- @432119459591880706
Ah yh thanks. I think because I used the web template my head was going in circles a bit. I managed to get it working now. Thank you 🙌🏻
Nice! Give me a shout if you get stuck again!
- @432119459591880706
Actually there was one other thing. So when supabase runs it's trigger to add the new user to the payload users table, I don't think it triggers any of payloads hooks.
I am trying to create a stripe customer as a side effect of the supabase trigger and the only way I can think of that would work is with a webhook. Unless you know of a different way?
I am using a separate customer table.
I ended up realising that we don't even need the trigger in supabase. We can do everything on sign up with payload 🙂
@432119459591880706Are you handling the auth cookies with supabase or with payload?
I'm using supabase auth cookies
How are you managing the issue of auth on the users collection then if you need to update user details etc? For me it was showing me an error about an email or something along those lines. So the only solution I could find to be able to write to the collection with the local api was by disabling auth which doesn't seem safe 🫠
@432119459591880706I'm implementing things in the same way you are, and your guide is awesome. However, does RLS work with the above methods for you? I want my admin dashboard to obey the same RLS rules i have for my end users
RLS should work, as it's on the DB level, although you might need to use the supabase DB client to correctly pass the key. Not 100% sure though - I've disabled the Supabase Data API so I've not implemented any RLS policies.
I'm only accessing tables via Payload (i.e. Drizzle) on the server, so no need for the public API
Did you find a solution to this?
Hey Engin. Been a while since I've revisited it but will let you know as I am planning to do some more work on the project.
Star
Discord
online
Get dedicated engineering support directly from the Payload team.